Owners of the YubiKey Neo, beware: a Chrome feature Google introduced last year can, as an unintended consequence, be used to bypass one of the security key's protections.

The Chrome feature, WebUSB, lets a website access a USB device connected to your PC. However, two security researchers tell Wired that it can be used to phish a YubiKey Neo device.

Normally, the security key works like this: When logging into a website, you connect the device to your PC. It then signs an authentication request between the website and the YubiKey, unlocking access to your account. But before the key does any of this, it'll use your internet browser to check that the website you're accessing is legit and not a fake page. This step is an important reason why YubiKey Neo maker Yubico calls the devices "unphishable."
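The browser-side website check described above can be sketched as follows. This is an added example, not code from Yubico, Google or the researchers: it assumes the simplest U2F case, where the appId must equal the page's origin, omits the key's signature, and uses constructed names and sample values throughout.

```python
import hashlib
import json
from urllib.parse import urlsplit


class OriginMismatch(Exception):
    """The requesting page is not allowed to use this appId."""


def origin_of(url: str) -> str:
    """Reduce a URL to https://host[:port], the unit the browser compares."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise OriginMismatch(f"not a secure origin: {url!r}")
    port = f":{parts.port}" if parts.port not in (None, 443) else ""
    return f"https://{parts.hostname}{port}"


def browser_build_sign_request(page_url: str, app_id: str, challenge: str) -> dict:
    """Browser step: refuse unless the page's origin matches the appId."""
    page_origin = origin_of(page_url)
    if page_origin != origin_of(app_id):
        raise OriginMismatch(f"{page_origin} may not sign for {app_id}")
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge,
         "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    return {
        "client_data": client_data,
        # The two 32-byte hashes the key receives and signs over.
        "application_parameter": hashlib.sha256(app_id.encode()).digest(),
        "challenge_parameter": hashlib.sha256(client_data).digest(),
    }


def relying_party_accepts(client_data: bytes, origin: str, challenge: str) -> bool:
    """Server step: the signed client data must name our origin and challenge."""
    data = json.loads(client_data)
    return data.get("origin") == origin and data.get("challenge") == challenge


# Constructed sample values (reserved example/test domains).
APP_ID = "https://accounts.example.com"
LEGIT_PAGE = "https://accounts.example.com/login"
PHISH_PAGE = "https://accounts.example.com.login.test/login"
CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"
```

The key itself only ever sees the two hashes, so the origin comparison exists solely in the browser step; the protection holds only while every request to the key passes through it.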

Unfortunately, Google inadvertently introduced a workaround; WebUSB can trick the security key into skipping this process. The researchers, Markus Vervier and Michele Orru, created a fake website with WebUSB that'll directly access a YubiKey Neo, without initiating the website check.

Clever hackers could exploit WebUSB to craft phishing-style attacks, the duo warns. Imagine getting sent a fake Google login page and falling for the trap. You'll not only end up handing over your password; the fake login page can also interface with the YubiKey to complete the login process. The only thing standing in the way is that Chrome will ask for permission before letting WebUSB connect to the YubiKey.

On Friday, Yubico confirmed the problem, but said it only appears to affect the company's YubiKey Neo product. The vendor published a security advisory with more details. It's advising that customers click "Cancel" whenever the Chrome browser requests WebUSB access to a YubiKey device. "For the phishing attack to succeed, the user would also have to touch the key [the flashing green button] to approve the authentication request," the company said.

In a bit of irony, Google has been promoting the YubiKey Neo as a product that works with its Advanced Protection Program, which is designed to protect your Google account from the sneakiest phishing attacks.

Fortunately, the search giant is developing a short-term fix that'll roll out in an upcoming Chrome release, Google product manager Christiaan Brand said in a statement.

"We are always appreciative of researchers' work to help protect our users," he said, adding "We aren't aware of any evidence that the vulnerability has been exploited."

About the Author

Michael has been a PCMag reporter since October 2017. He previously covered tech news in China from 2010 to 2015, before moving to San Francisco to write about cybersecurity. He covers a variety of tech news topics, including consumer devices, digital privacy issues, computer hacking, artificial intelligence, online communities and gaming.